The VTech Hack, Exposing Thousands of Children’s Data


December 2, 2015 | DevOps | Joanna Mastrocola


It looks like another tech company has been added to the naughty list. Children’s toymaker VTech has been hacked, the breach affecting over 5 million customers. The worst part? This time it’s our children’s information that’s at risk.

In response to the November 14th breach of its Learning Lodge app store, VTech suspended its app stores across the world. The hack affected 5 million customers, revealing names, email addresses, passwords, IP addresses, mailing addresses, download histories, and secret questions as well as the genders and birthdays of the children in the VTech database.

Here’s everything you need to know:

VTech has confirmed that 4.9 million parent accounts were compromised, and 6.4 million related children’s profiles tied to those accounts were also exposed. NBC News points out that VTech is working to downplay the hack by assuring customers that credit card information was not compromised. It is important to note that although you can cancel an exposed credit card and eliminate most risk, you can’t simply retract your children’s leaked personal information. Once it’s out there, it’s out there.

Wired reports that the breach went unnoticed for 10 days. Although this seems to be an improvement over other breaches that have gone unnoticed for months, it is still unsettling to realize that a majority of breaches are not discovered immediately.

This piece from Engadget points out that this story is particularly interesting because it involves products for children, which typically don’t get much coverage when it comes to data security. This observation raises the question: should companies geared toward children put an even bigger focus on data security than companies selling to adults?

Security analyst Troy Hunt has a very different story and perspective from VTech’s. According to Hunt, 227,000 of the 4.8 million people affected were children. Hunt argues that, contrary to claims by VTech, the kids’ passwords that were stolen weren’t encrypted at all.

The scariest aspect of this breach is that children’s photos, as well as chat logs between parents and their kids, were stored on the breached database. VTech still hasn’t clarified why this type of information was kept there in the first place.

It seems now that every company is a target, regardless of its industry, because of the vast amount of information that is being captured. It is important for companies to keep in mind that both applications and infrastructure are vulnerable to these types of attacks. Because of this, it is crucial to have a solution to identify, authorize, and audit all of these rapidly moving parts. As companies move faster to stay ahead of the competition, they increasingly run the risk of sacrificing security and putting their sensitive data at risk.





